Virtual APs with seperate DHCP servers error on 7.15.1

bitmage · June 19, 2024, 5:10pm

I have a hAP ac3 that I’ve just upgraded to 7.15.1 from 7.12.1. It has three virtual APs, and separate DHCP servers and address pools for each, ex: virtual AP virtap has it’s own /24 and uses DHCP server virtap from pool virtap, virtap2 has a different /24, server, and pool.

After upgrading to 7.15.1, I discovered that the DHCP server screen now has “DHCP server can not run on slave interface!” for the DHCP servers that were configured for the virtual APs:

[master@MikroTik] > ip dhcp print
Flags: I - INVALID
Columns: NAME, INTERFACE, ADDRESS-POOL, LEASE-TIME
#   NAME          INTERFACE  ADDRESS-POOL  LEASE-TIME
0   defconf       bridge     dhcp          8h        
;;; DHCP server can not run on slave interface!
1 I virtap2        VIRTAP2     virtap2        4h        
;;; DHCP server can not run on slave interface!
2 I virtap3       VIRTAP3    virtap3       12h       
;;; DHCP server can not run on slave interface!
3 I virtap         VIRTAP      virtap         30m

When tested the servers are working despite the error; new clients to the virtual APs are issued addresses from the correct pool, their leases show the correct server name, etc.

Looking at a config dump from before the upgrade:

/ip dhcp-server
add address-pool=virtap authoritative=yes bootp-support=none disabled=no \
    interface=VIRTAP lease-script="" lease-time=12h name=virtap \
    server-address=192.168.12.1 use-radius=no

was a valid command in 7.12.1. In 7.15.1 it returns the “can not run on slave interface” error.

How should I update the configuration to correct the error so I can perform future updates to the DHCP config?

mkx · June 19, 2024, 6:35pm

This usually happens if such “slave interface” is made a bridge port. In this case bridge interface should be used as anchor interface for DHCP server.

bitmage · June 19, 2024, 7:56pm

Currently all wifi interfaces (real and virtualAP) are part of the same default bridge “bridge”, with the virtual APs as ports on it. But I’m not sure what you meant by using the bridge interface for the DHCP server? Trying to set the interface to “bridge” for the DHCP server returns an error since there’s already a DHCP server there.

ips · June 20, 2024, 3:50am

AFAIK, you cannot have more than one DHCP server on a single L2 domain. What do you want to achieve?

mkx · June 20, 2024, 6:15am

Perhaps you should post full config (run /export file=anynameyouwish from terminal window, fetch the resulting file, open it with text editor, redact any remeining sensitive data such as public IP addresses or serial numbers, and copy-paste it inside [__code] [/code] tag pair). It does seem that there are some more errors in your config which affect the behaviour.

BTW, setting DHCP server (or any other L3 setup, such as IP address) on slave interface (which is bridge port) was always a wrong thing to do … it’s only recent versions of ROS that highlight this fact to users. Behaviour was always on the edge of erratic though.

bitmage · June 20, 2024, 10:06pm

To maintain my current setup, with three virtual APs, each running a DHCP server that hands out addresses from a IP pool dedicated to that virtual AP. (ex: 192.168.12.0/24 for virtual AP 1, 192.168.14.0/24 for virtual AP 2, etc). That’s the setup I’ve been using for years and have had no issues with. Indeed, it’s working fine right now - except I can’t edit or update the DHCP server config anymore as it has suddenly decided it is invalid (but working!)

bitmage · June 20, 2024, 10:45pm

Perhaps you should post full config (run /export file=anynameyouwish from terminal window, fetch the resulting file, open it with text editor, redact any remeining sensitive data such as public IP addresses or serial numbers, and copy-paste it inside [__code] [/code] tag pair).

Thanks, I’ve pasted it below with redactions to get it down to a reasonable size.

/interface bridge
add admin-mac=XXXXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
/interface vlan
add comment="comment" interface=\
    ether5 name=vlan101 vlan-id=101
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifiwave2 security
add authentication-types=wpa3-psk disabled=no management-protection=required \
    name=REALAP1 wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=VIRTAP3 wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=VIRTAP1 wps=\
    disable
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.country="United States" .mode=\
    ap .ssid=REALAP1 datapath.bridge=bridge .interface-list=LAN disabled=\
    no security=REALAP1
set [ find default-name=wifi2 ] channel.skip-dfs-channels=all \
    configuration.country="United States" .mode=ap .ssid=REALAP15 \
    datapath.bridge=bridge .interface-list=LAN disabled=no security=\
    REALAP1
add configuration.mode=ap .ssid=VIRTAP1 datapath.client-isolation=yes \
    disabled=no mac-address=0A:55:31:F6:FA:CD master-interface=wifi1 name=\
    VIRTAP1 security=VIRTAP1
add configuration.mode=ap .ssid=VIRTAP3 datapath.client-isolation=yes disabled=\
    no mac-address=0A:55:31:F6:FA:CE master-interface=wifi2 name=VIRTAP3 \
    security=VIRTAP3 security.wps=disable
add configuration.mode=ap .ssid=VIRTAP2 datapath.client-isolation=yes \
    disabled=no mac-address=0A:55:31:F6:FA:CC master-interface=wifi1 name=\
    VIRTAP2 security=VIRTAP2 security.wps=disable
/ip pool
add name=dhcp ranges=192.168.30.100-192.168.30.254
add name=virtap3 ranges=192.168.19.100-192.168.19.254
add name=virtap2 ranges=192.168.20.100-192.168.20.254
add name=virtap1 ranges=192.168.12.2-192.168.12.254
add name=openvpn-pool ranges=192.168.42.10-192.168.42.99
add comment="comment" name=gpool ranges=\
    192.168.21.100-192.168.21.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=8h name=defconf
add address-pool=virtap2 bootp-support=none interface=VIRTAP2 lease-time=4h \
    name=virtap2 server-address=192.168.20.1
add address-pool=virtap1 bootp-support=none interface=VIRTAP1 lease-time=12h \
    name=virtap1 server-address=192.168.12.1
add address-pool=gpool interface=vlan101 lease-time=4h name=gcs
add address-pool=virtap3 interface=VIRTAP3 name=virtap3 server-address=192.168.19.1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/system logging action
set 3 remote=192.168.30.15 src-address=192.168.30.1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.30.1/24 comment=defconf interface=ether2 network=\
    192.168.30.0
add address=192.168.20.1/24 interface=VIRTAP2 network=192.168.20.0
add address=192.168.19.1/24 interface=VIRTAP3 network=192.168.19.0
add address=192.168.12.1/24 interface=VIRTAP1 network=192.168.12.0
add address=192.168.21.1/24 comment="comment" interface=\
    vlan101 network=192.168.21.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server config
set store-leases-disk=1h
/ip dhcp-server lease
<static leases removed>
/ip dns
set allow-remote-requests=yes
/ip dns static
<static ips removed>
/ip firewall filter
<firewall rules removed>
/ip ipsec policy
set 0 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.30.0/24 disabled=yes
set ssh address=192.168.30.0/24
set www-ssl certificate=webfig disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=America/New_York
/system logging
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
add disabled=yes topics=script
add action=remote topics=info
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=warning
add action=remote topics=script
add action=remote topics=wireless
add action=remote topics=dhcp
add topics=critical
/system note
set show-at-login=no

mkx · June 21, 2024, 5:24am

OK, so according to configuration all the VIRTAP interfaces should be off-bridge (and thus “eligible” for L3 setup). But you should check if this is indeed so:

/interface/bridge/port/print

should not show them listed.

ips · June 21, 2024, 6:22am

Indeed, the virtualAP interfaces are NOT part of the default bridge. Is maybe a bug in the check they apparently recently added?

mkx · June 21, 2024, 12:08pm

I suggest you to open a ticket with support@mikrotik.com … provide them with suppout.rif file, it should become clear pretty quickly.

ips · June 21, 2024, 12:36pm

I am not the OP , but I agree.

bitmage · June 21, 2024, 10:48pm

OK, so according to configuration all the VIRTAP interfaces should be off-bridge (and thus “eligible” for L3 setup). But you should check if this is indeed so:
/interface/bridge/port/print
should not show them listed.

They are present, but show as (D)ynamic:

Flags: I - INACTIVE; D - DYNAMIC; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
#     INTERFACE  BRIDGE  HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
;;; defconf
0 I H ether2     bridge  yes     1  0x80             10                  10  none   
;;; defconf
1   H ether3     bridge  yes     1  0x80             10                  10  none   
;;; defconf
2 I H ether4     bridge  yes     1  0x80             10                  10  none   
;;; defconf
3   H ether5     bridge  yes     1  0x80             10                  10  none   
;;; defconf
4     wifi1      bridge          1  0x80             10                  10  none   
;;; defconf
5     wifi2      bridge          1  0x80             10                  10  none   
6  D  VIRTAP1    bridge          1  0x80                                     none   
7  D  VIRTAP2    bridge          1  0x80                                     none   
8  D  VIRTAP3    bridge          1  0x80                                     none

ips · June 21, 2024, 10:52pm

Are they maybe “inheriting” the datapath.bridge property of the master interface? Can you try to unset that property?

bitmage · June 23, 2024, 3:21pm

It does look to be defaulting to that:

[master@MikroTik] > /interface/bridge/port/print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload
<...>
 7  D  interface=VIRTAP2 bridge=bridge priority=0x80 edge=auto point-to-point=no learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no 
       mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no

But it won’t allow me to unset it:

[master@MikroTik] > /interface/bridge/port/unset 7
value-name: bridge
Script Error: action cancelled

I’m wondering if I need to create separate bridges for each virtualAP now? Later edit, that doesn’t work either. Trying to remove the virtualAP from the default bridge through webfig gives an error “can not remove dynamic port (6)”. Trying to edit the bridge port through /interface/bridge/port/edit doesn’t return an error but the change is ignored and it stays bridge=bridge.

mkx · June 23, 2024, 4:25pm

You have to set bridge property in datapath configuration of slave wireless interface to an appropriate setting.

The manual says the following about it:

Bridge interface to add interface to, as a bridge port.
Virtual (‘slave’) interfaces are by default added to the same bridge, if any, as the corresponding master interface. Master interfaces are not by default added to any bridge.

It doesn’t seem it’s possible to unset the value for virtual interfaces. But what does happen if one tries to set it to inexistent bridge? Does it fail to bring interface up? Or does it get added to master’s bridge? Or it remains unconnected (just like @OP wants it to be)?

ips · June 23, 2024, 9:13pm

I would entirely skip the datapath property. You are already manually adding the master interfaces to the bridge. I think that’s suffice. The slave interfaces will not be part of the bridge.

Hominidae · June 23, 2024, 9:24pm

I am using a dedicated VLAN for each AP/SSID to achieve the same results.
Works with Wifi and wireless (new wifi on ac3 with manual VLAN setup on bridge an qcom-ac drivers)…with or without capsman.

bitmage · June 24, 2024, 10:45pm

Tried the datapath option, but it won’t accept setting an empty bridge for the virtAP interface. Opened a ticket with Mikrotik support last week, but no replies so far. May have to try reworking around the dedicated VLAN per virtAP method Hominidae suggested, pointers to good docs on that would be appreciated!

ips · June 24, 2024, 10:50pm

Have you tried to not set the datapath property?

mkx · June 25, 2024, 8:44am

Did you read my previous reply? Virtual (slave) wifi interfaces inherit datapath from master if not set explicitly.